drivers/acpi/video.c: null pointer dereference

drivers/acpi/video.c: null pointer dereference

[Adrian Bunk]

The Coverity checker found the following null pointer dereference in 
drivers/acpi/video.c:

<--  snip  -->

...
static int
acpi_video_switch_output(
...
{
...
        struct acpi_video_device *dev=NULL;
...
        list_for_each_safe(node, next, &video->video_device_list) {
                struct acpi_video_device * dev = container_of(node, struct acpi_video_device, entry);
...
        }
...
        switch (event) {
        case ACPI_VIDEO_NOTIFY_CYCLE:
        case ACPI_VIDEO_NOTIFY_NEXT_OUTPUT:
                acpi_video_device_set_state(dev, 0);
                acpi_video_device_set_state(dev_next, 0x80000001);
                break;
        case ACPI_VIDEO_NOTIFY_PREV_OUTPUT:
                acpi_video_device_set_state(dev, 0);
                acpi_video_device_set_state(dev_prev, 0x80000001);
...

<--  snip  -->


Two different variables of the same name within 40 lines of code are a 
good indication that something's wrong...


The outer "dev" variable is never assigned any value different from 
NULL.

acpi_video_device_set_state dereferences this variable.


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

Re: drivers/acpi/video.c: null pointer dereference

[Len Brown]

[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]

On Thu, 2005-03-24 at 15:37, Adrian Bunk wrote:
> The Coverity checker found the following null pointer dereference in
> drivers/acpi/video.c:
> 
> <--  snip  -->
> 
> ...
> static int
> acpi_video_switch_output(
> ...
> {
> ...
>         struct acpi_video_device *dev=NULL;
> ...
>         list_for_each_safe(node, next, &video->video_device_list) {
>                 struct acpi_video_device * dev = container_of(node,
> struct acpi_video_device, entry);
> ...
>         }
> ...
>         switch (event) {
>         case ACPI_VIDEO_NOTIFY_CYCLE:
>         case ACPI_VIDEO_NOTIFY_NEXT_OUTPUT:
>                 acpi_video_device_set_state(dev, 0);
>                 acpi_video_device_set_state(dev_next, 0x80000001);
>                 break;
>         case ACPI_VIDEO_NOTIFY_PREV_OUTPUT:
>                 acpi_video_device_set_state(dev, 0);
>                 acpi_video_device_set_state(dev_prev, 0x80000001);
> ...
> 
> <--  snip  -->
> 
> 
> Two different variables of the same name within 40 lines of code are a
> good indication that something's wrong...
> 
> 
> The outer "dev" variable is never assigned any value different from
> NULL.
> 
> acpi_video_device_set_state dereferences this variable.
> 
> 
> cu
> Adrian

Looks like we should do this:



[-- Attachment #2: video.patch --]
[-- Type: text/plain, Size: 599 bytes --]

===== drivers/acpi/video.c 1.8 vs edited =====
--- 1.8/drivers/acpi/video.c	2005-01-06 02:06:20 -05:00
+++ edited/drivers/acpi/video.c	2005-03-24 15:44:33 -05:00
@@ -1585,7 +1585,7 @@
 	ACPI_FUNCTION_TRACE("acpi_video_switch_output");
 
 	list_for_each_safe(node, next, &video->video_device_list) {
-		struct acpi_video_device * dev = container_of(node, struct acpi_video_device, entry);
+		dev = container_of(node, struct acpi_video_device, entry);
 		status = acpi_video_device_get_state(dev, &state);
 		if (state & 0x2){
 			dev_next = container_of(node->next, struct acpi_video_device, entry);